---
page_title: "cloudflare_api_token Resource - Cloudflare"
subcategory: ""
description: |-
  Provides a resource which manages Cloudflare API tokens.
  Read more about permission groups and their applicable scopes in the
  developer documentation https://developers.cloudflare.com/api/tokens/create/permissions.
---

# cloudflare_api_token (Resource)

Provides a resource which manages Cloudflare API tokens.

Read more about permission groups and their applicable scopes in the
[developer documentation](https://developers.cloudflare.com/api/tokens/create/permissions).

## Example Usage

```terraform
# User permissions
data "cloudflare_api_token_permission_groups" "all" {}

# Token allowed to create new tokens.
# Can only be used from specific ip range.
resource "cloudflare_api_token" "api_token_create" {
  name = "api_token_create"

  policy {
    permission_groups = [
      data.cloudflare_api_token_permission_groups.all.permissions["API Tokens Write"],
    ]
    resources = {
      "com.cloudflare.api.user.${var.user_id}" = "*"
    }
  }

  not_before = "2018-07-01T05:20:00Z"
  expires_on = "2020-01-01T00:00:00Z"

  condition {
    request_ip {
      in     = ["192.0.2.1/32"]
      not_in = ["198.51.100.1/32"]
    }
  }
}

# Account permissions
data "cloudflare_api_token_permission_groups" "all" {}

# Token allowed to read audit logs from all accounts.
resource "cloudflare_api_token" "logs_account_all" {
  name = "logs_account_all"

  policy {
    permission_groups = [
      data.cloudflare_api_token_permission_groups.all.permissions["Access: Audit Logs Read"],
    ]
    resources = {
      "com.cloudflare.api.account.*" = "*"
    }
  }
}

# Token allowed to read audit logs from specific account.
resource "cloudflare_api_token" "logs_account" {
  name = "logs_account"

  policy {
    permission_groups = [
      data.cloudflare_api_token_permission_groups.all.permissions["Access: Audit Logs Read"],
    ]
    resources = {
      "com.cloudflare.api.account.${var.account_id}" = "*"
    }
  }
}

# Zone permissions
data "cloudflare_api_token_permission_groups" "all" {}

# Token allowed to edit DNS entries and TLS certs for specific zone.
resource "cloudflare_api_token" "dns_tls_edit" {
  name = "dns_tls_edit"

  policy {
    permission_groups = [
      data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"],
      data.cloudflare_api_token_permission_groups.all.permissions["SSL and Certificates Write"],
    ]
    resources = {
      "com.cloudflare.api.account.zone.${var.zone_id}" = "*"
    }
  }
}

# Token allowed to edit DNS entries for all zones except one.
resource "cloudflare_api_token" "dns_tls_edit_all_except_one" {
  name = "dns_tls_edit_all_except_one"

  # include all zones
  policy {
    permission_groups = [
      data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"],
    ]
    resources = {
      "com.cloudflare.api.account.zone.*" = "*"
    }
  }

  # exclude (deny) specific zone
  policy {
    permission_groups = [
      data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"],
    ]
    resources = {
      "com.cloudflare.api.account.zone.${var.zone_id}" = "*"
    }
    effect = "deny"
  }
}


# Token allowed to edit DNS entries for all zones from specific account.
resource "cloudflare_api_token" "dns_edit_all_account" {
  name = "dns_edit_all_account"

  # include all zones from specific account
  policy {
    permission_groups = [
      data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"],
    ]
    resources = {
      "com.cloudflare.api.account.${var.account_id}" = jsonencode({
        "com.cloudflare.api.account.zone.*" = "*"
      })
    }
  }
}
```
<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `name` (String) Name of the API Token.
- `policy` (Block Set, Min: 1) Permissions policy. Multiple policy blocks can be defined. (see [below for nested schema](#nestedblock--policy))

### Optional

- `condition` (Block List, Max: 1) Conditions under which the token should be considered valid. (see [below for nested schema](#nestedblock--condition))
- `expires_on` (String) The expiration time on or after which the token MUST NOT be accepted for processing.
- `not_before` (String) The time before which the token MUST NOT be accepted for processing.

### Read-Only

- `id` (String) The ID of this resource.
- `issued_on` (String) Timestamp of when the token was issued.
- `modified_on` (String) Timestamp of when the token was last modified.
- `status` (String)
- `value` (String, Sensitive) The value of the API Token.

<a id="nestedblock--policy"></a>
### Nested Schema for `policy`

Required:

- `permission_groups` (Set of String) List of permissions groups IDs. See [documentation](https://developers.cloudflare.com/api/tokens/create/permissions) for more information.
- `resources` (Map of String) Describes what operations against which resources are allowed or denied.

Optional:

- `effect` (String) Effect of the policy. Available values: `allow`, `deny`. Defaults to `allow`.


<a id="nestedblock--condition"></a>
### Nested Schema for `condition`

Optional:

- `request_ip` (Block List, Max: 1) Request IP related conditions. (see [below for nested schema](#nestedblock--condition--request_ip))

<a id="nestedblock--condition--request_ip"></a>
### Nested Schema for `condition.request_ip`

Optional:

- `in` (Set of String) List of IP addresses or CIDR notation where the token may be used from. If not specified, the token will be valid for all IP addresses.
- `not_in` (Set of String) List of IP addresses or CIDR notation where the token should not be used from.


